
How to compare password to encrypted password?

I have been working on a website (one of my first) and I have run into a problem with the passwords. I found the below code to encrypt a password, which is what gets stored in the database. I assumed that when the user enters his or her username and password, I could simply grab the password, do the same thing with it, compare that with what is in the database and it would be the same encrypted string, but it is not.

How can I do this? I don't have to use the code below to encrypt the password. I am sure there are many ways.

That makes perfect sense after you pointed it out. I didn't think about the MCRYPT_DEV_URANDOM part of the algorithm.

Is there a better way to do that? It seems that storing the salt would make it much easier for someone to crack the passwords if they get access to the database. Not that I am storing anything that is sensitive but I would like to do it right.

The main purpose of using a salt is so that a cracker cannot simply use a pre-generated "rainbow table" of hashed passwords to search against with the hashed values in your DB. By using a different salt on each password, they would now have to regenerate a new rainbow table for each such salt - and do it twice if they have to guess whether it's being added to the beginning or the end. The best security practice is still to get/force the users to use very strong passwords. ("E5-tc!2_xM34-" is not going to appear in many rainbow tables.)

By using an arbitrary row from the database, any hack attempt that gets hold of your password would not know what the salt key would be.

Another decent option. It's all about defense in layers: the more hoops you make a cracker jump through, the more likely it is he'll look for easier pickings -- unless you have "heroin content" that he just has to have.

This whole area is very difficult to implement correctly without having a very good understanding of cryptography. I recently wrote a user management area in PHP and when I started researching this properly, I came to the conclusion that implementing this is not that straightforward.

The solution I ended up with is Openwall's Portable PHP Password Hashing Framework. This is e.g. what WordPress (and many other projects) use for storing passwords, and makes the job very easy. Personally I would highly recommend anyone to use this instead of trying to come up with your own solution using PHP's encryption functions, because unless you have a very, very good understanding of encryption in this context, it's easy to get the implementation wrong.

I hadn't heard about that; that's an excellent move by PHP, sorely needed.

Hmm, personally I think I'll still keep using Openwall's Portable PHP Password Hashing Framework for a while though, since it's mature. I'll wait until PHP 5.5 is more widely used and further stabilised and then start using the new built-in functions for new projects, as they are definitely the way to go ultimately.
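The comparison problem from the original question, as an added example that is not part of any post in this thread: it uses the PHP 5.5+ built-ins `password_hash()`, `password_verify()` and `password_needs_rehash()`, which store the random salt inside the hash string so that verification can reuse it. The `$users` array standing in for the database table and the function and user names are assumptions made for illustration.

```php
<?php
// Constructed in-memory stand-in for the users table (hypothetical names).
$users = array();

function register_user(array &$users, $name, $password)
{
    // A fresh random salt is generated on every call and embedded in the
    // returned string together with the algorithm identifier and cost.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

function check_login(array &$users, $name, $password)
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name];

    // password_verify() reads the salt and cost out of $stored, re-hashes the
    // candidate password with them and compares the result in constant time.
    if (!password_verify($password, $stored)) {
        return false;
    }

    // Upgrade the stored hash when the default algorithm or cost has changed
    // since it was created; only possible here, while the plaintext is known.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

register_user($users, 'alice', 'E5-tc!2_xM34-');

// Hashing the same password a second time picks a new salt, so a plain
// string comparison against the stored value does not match. This is the
// behaviour described in the question.
$again = password_hash('E5-tc!2_xM34-', PASSWORD_DEFAULT);
var_dump($again === $users['alice']);

// Verification succeeds for the right password and fails for a wrong one,
// because the salt is taken from the stored hash rather than regenerated.
var_dump(check_login($users, 'alice', 'E5-tc!2_xM34-'));
var_dump(check_login($users, 'alice', 'wrong-password'));
```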